Thursday, October 22, 2009

Did you hear the one about the company that was fined £225,000 for failing to register under the Packaging Waste Directive? Or the one about the company charged £80,000 for running a waste business without the appropriate permit? This is no laughing matter. Ten years ago the European Commission positioned itself as an enforcer of environmental laws rather than simply as a legislator. Since then regulatory authorities in the UK have been given increasing powers to prosecute wrongdoers. The power to investigate and penalize has seeped into local authorities and government agencies. It is no longer the sole preserve of the police to interview and charge someone whom they suspect has committed a criminal offence. Nowadays, powers once administered by the police may equally be utilized by your local health and safety officer.

Tuesday, October 13, 2009

Many people’s perception of climate change is that it will lead to warmer conditions and that in the UK, where weather is a perennial topic of conversation, this must be a good thing. Something that many people fail to grasp is that climate change equals global warming equals disruption of the weather patterns that we have grown up with. There have been many instances of freak weather in the last hundred years or so, but generally weather patterns across the globe have been fairly stable. However, as we all know, this is starting to change. The Gulf Stream brings warm ocean currents across the Atlantic from the Gulf of Mexico. This has a positive impact on the weather of the UK, particularly on the west side. Toronto in Canada, for example, is further south than the UK but has much more severe winters. Disruption to the Gulf Stream could mean a dramatic change in the UK’s climate. The debate about whether climate change is being caused by natural cycles or human intervention rumbles on. The knowledge of past events on our planet proves conclusively that weather patterns go through cycles – for example ice ages – and we may be entering one of these new cycles. However, it is also certain that we have been polluting the planet to unprecedented levels since the industrial revolution, and the likelihood is that this is contributing to climate change. Some governments and organizations have looked only at the short-term view in relation to climate change issues, but things are improving and there now seems to be a much stronger will to ‘save the planet’ before it is too late. Whether we have yet reached the tipping point or whether we can, or will, have any impact on reversing or slowing down climate change remains to be seen, but everyone has a moral obligation to participate in the process.

Does the term ‘environmental risk’ conjure up images of risk to business by environmental activities or risk to the environment by business activities? It’s an interesting – and interlinked – question. When businesses talk about environmental risk, more often than not the risk is taken to mean risk from the environment rather than risk to the environment. More companies are concerned by the risk that environmental factors can have upon operations and profitability than the impact that running a business has upon the environment. The effect the environment can have upon a business is particular to that operation; in other words, no two businesses will be affected in the same way, and the results can be devastating. The effect of recent summers’ torrential rain and flooding has shown how business and communities can be left in ruins. Incredibly, according to the Environment Agency, small businesses are now more at risk of flooding than of fire. The need to have emergency plans in place in the event of business disruption emanating from such natural phenomena is obvious.Conversely, the effect of one business upon the environment cannot be taken in isolation; its effect is cumulative and contributes to change on a global scale. Despite the best efforts of the recent Republican candidate for the US vice-presidency, Sarah Palin, to advise us to the contrary, few remain in doubt that human behaviour is having a fundamental impact on accelerating and worsening climate change.

Operational risks are those associated with the failure of systems, people or processes, or that result from the impact of external events. Therefore it is clear that businesses have always managed operational risk. They have taken steps to prevent theft and fraud and have introduced checks and balances to pick up the basic human errors that beset all businesses. Since computers have become a commonplace of business life, we have created a dizzying array of passwords, firewalls and encryption methodologies to ensure that our data remain secure, and we have insured our business assets against fire, theft, flood, earthquake and other natural disasters. All of these actions are designed to protect us against the adverse impact of operational risk. On the whole, however, firms have not found it necessary to model or seek to quantify operational risk exposures. They have identified and ranked risks in relative terms as being high, medium or low risks, but have not sought to apply a financial value to such exposures. For financial institutions this situation changed with the advent of Basel II, the name commonly applied to the guidance provided by the Committee for Banking Supervision of the Bank for International Settlements on the appropriate level of capital that internationally active banks should set aside to protect themselves against risk. Under the previous system (commonly referred to as Basel I), capital was set aside to cover credit risk (on the basis of a set amount to be held against money lent regardless of the quality of the borrower) and market risk. Basel II, however, seeks to create a risk-sensitive, forward-looking capital adequacy assessment that will assess levels of credit, market and, for the first time, operational risk that are present in the bank concerned and assign capital based on these levels of risk.The Committee sets out the methodologies that banks should use to calculate their exposure to operational risk.1 At the most basic level, capital is calculated by using a proxy (average net interest income plus average net non-interest income over the previous three years) and multiplying this value by a risk factor designed to be indicative of the level of operational risk in the market. Such methods involve no risk analysis but merely provide a number for capital adequacy purposes. The road is, however, open for more ambitious institutions to opt for the Advanced Measurement Approach and develop a modelled approach to the quantification of operational risk.The motivation for a bank to model operational risk exposures has therefore originated through regulatory imperative, but the process has commercial benefits that flow across industry and business sectors and stretch beyond the regulated financial services sector. Let us say, for example, that we detect a flaw in a system and process that exposes us to loss and we believe the risk to be ‘high’. However, the event has yet to produce a tangible loss. We want to avoid such a loss, but how will we be able to build a business case to support the level of expenditure we need to correct the flaw? Those responsible for the company purse strings are unlikely to be swayed by a red traffic light in a risk report when asked to release a possibly significant sum to resolve the flaw. It is useful in such cases to be able to indicate a monetary scale for the potential risk so that a proper cost–benefit analysis can be carried out. To produce this estimate of exposure we will need to develop an operational risk model

In 1999, the Organisation For Economic Co-operation and Development (OECD) – a body where 30 of the most economically advanced nations of the world come together to devise policies to foster economic growth and the expansion of world trade – published its OECD Principles of Corporate Governance. This highly influential report argued that identifying and managing risk are a fundamental part of top management’s job, and that boards of directors should:■ establish a risk policy;■ institute a system for risk management;■ be fully informed about risk (ie be provided with accurate, relevant and timelyinformation, and training if necessary);■ deal with risk with due diligence and care;■ disclose (eg by publishing in their annual report) all material risk factors and how risk is monitored and managed by their organization.The OECD principles were endorsed by OECD ministers in 1999 and revised in 2004. They are now the international benchmark on corporate governance for policy makers, regulators, investors, corporations and other stakeholders worldwide. The OECD principles and subsequent events show that managing risk well is important because policy makers, regulators and investors require that it is done well. It is indeed a crucial part of good management – with the potential for catastrophic loss if not done well, ie loss at a level that the organization concerned cannot sustain without outside assistance, or at all. As a result, today, annual reports report on risk management practices and highlight key risks with increasing clarity and sophistication. Given the global credit crisis, it doesn’t take a crystal ball to see that the pressure to manage risk well will intensify in the near term.

Integrating security risk management into mainstream businessHistorically, security management in hotels could be characterized as fragmented, uncoordinated and reactive. It was certainly not seen as central to the success of the business. Given the largely static security environment of hotels in the past, this approach was, however, probably effective enough in mitigating the security risks that confronted international hotel brands. As hotels themselves shifted from being largely individually owned to the international brands that currently populate business travellers’ lodging options, sets of brand standards emerged that attempted to guarantee a consistently good hotel experience for frequent travelers across the brand. In most cases, however, the move to brand consistency had little impact on security management, which had tended to become somewhat detached from developments elsewhere in the hotel sector and had become something of an organizational anachronism (even if still reasonably effective in responding to routine security issues).At the same time, the risk environment in which hotels operated was changing. Developments in the political, economic, social, technological and legal spheres were presenting new challenges as well as opportunities for hotel security risk management. The most salient element of this shift was the emergence of international terrorism, and this was made abundantly clear when al Qaeda in Iraq carried out simultaneous suicide attacks against three international hotels in Amman in November 2005. This was not, however, the only element in the security spectrum that had changed. The end of the Cold War had shifted the global security paradigm in other areas that now affected hotel risk management, such as identity theft and money laundering. National catastrophes such as the Asian tsunami and Hurricane Katrina in recent years also challenged the security departments of international hotel brands to prepare and respond to significantly higher-impact events. Similarly, security (and risk) departments became the first port of call for senior hotel management when faced with events such as the conflict in Lebanon in 2006 and 2007 and newly emerging threats such as cyber-crime. It became clear to IHG during this period that the traditional, fragmented and reactive approach to hotel security was not able to provide the desired level of sophisticated protection against a rapidly more complex and ambiguous threat environment; nor was it well placed to meet the increasing expectations placed on hotels to prevent, prepare for, respond to and recover from major risk incidents. IHG therefore carried out a far-reaching analysis of its existing security capacity set primarily against the benchmark of the international terrorist threat and developed a strategy of threat-based security risk management. The consequences of this study were to have a profound effect on the company’s perception of both the security risks and the consequent mitigation strategy.

Disputes represent an obvious risk for organizations; they can be costly in terms of fees and opportunity costs (lost management and executive time), and can be a threat to an organization’s reputation. Even with the best risk management systems in place, it is almost inevitable that an organization will be faced with a dispute at some stage. While it might not be possible in all cases to prevent disputes from arising, an organization can control how it responds to a dispute. The traditional approach, taken by organizations when responding to commercial disputes, has been to consider their legal position and, if there was a genuine relationship between the parties to preserve, initiate negotiations. If negotiations failed, the next step was to commence litigation proceedings in the courts.In more recent times, organizations have realized the importance of managing disputes before they escalate to the point of litigation. In-house and external lawyers now consider whether an alternative dispute resolution mechanism can be applied to a dispute while it is in its early stages. This is because the costs involved in litigating a matter to trial are often grossly disproportionate to the amount that is at stake. As litigation progresses, management and executives are required to devote more time and attention to the dispute, particularly when parties are required to disclose relevant documents to the other side and submit detailed evidence to support a case.Managers should be aware that litigation is not the only way to resolve a dispute. There are a number of other methods that exist, collectively described as ‘alternative dispute resolution’ (ADR) procedures, which are being increasingly used effectively to manage disputes and their consequent risks. In the UK, the courts first formally recognized ADR in 1998, with the introduction of the new court rules (known as the Civil Procedure Rules – CPR). Under the CPR, the court is charged with the duty of case management, and part of that duty includes encouraging parties to use ADR if the court considers it appropriate. In this chapter, we briefly outline three forms of ADR that have become morepopular in the UK’s commercial arena in recent times.1 We then focus on mediation, the most commonly used ADR mechanism in the UK. We conclude with a discussion of the costs risk to which organizations are exposed if they do not consider using ADR when faced with a commercial dispute

The European Commission is so certain that litigation costs adversely affect the take-up of patent rights that it has proposed that anyone applying for a European patent should be required to have compulsory patent litigation insurance. A study for the Commission determined the average amount spent by each party in a patent infringement action in a number of EU countries. Considering both the first instance trial and the cost of an appeal, the most expensive country was the UK, where on average each party spent N980,000. In Germany, where there has to be both an infringement action and a separate nullity action, the costs to have both issues tried and then reviewed on appeal are about N730,000 for each party. The party spend in France, by contrast, are of the order of N125,000 each. However, the same study worked out a litigation ratio for each country and determined that the number of patents that are the subject of proceedings remains very low. The number of European patents in force in various countries was determined and divided by the number of patent infringement actions started per annum to determine a litigation ratio indicating the incidence of patent litigation. So in France, where 250,000 European patents are currently in force and 50 patent actions are started a year, the litigation ratio is 1:5,000. Only 50 per cent of patent actions in France proceed to trial and judgment, so a similar calculation gives a first judgment ratio of 1:10,000. The comparable figures forthe United Kingdom are a litigation ratio of 1:2,000 and a ratio to first judgment of 1:8,000. Thus in most countries across Europe very few patents are the subject of litigation. Even where an action is started, at least half are settled before trial. In the United Kingdom, only about 20 actions a year go to trial, which is one-sixth of those started. It is accepted that the cost of patent litigation in all European countries is significant. However, the level of expense incurred in litigation in the UK is generally higher than that seen in other European countries. This difference in cost arises out of differences in process.

If the assumption is that change brings litigation, then the plethora of legal, regulatory and social changes that businesses have faced in the last 10 years alone should have the courts braced for the litigation floodgates to open. A recent report titled prepared by Lloyd’s of London in cooperation with the Economist Intelligence Unit, warns that the UK is increasingly facing a US-style compensation culture. But warnings of increased litigation are nothing new. In 2004, the then chairman of the Financial Services Authority, Callum McCarthy, warned that the UK was at risk of losing its advantage as a less litigious society than the United States. Similarly, in recent months the legal and mainstream press has devoted columns of print warning of impending credit crunch litigation. Yet are such warnings

Risk expert Myles Shevlane believes a number of factors were to blame for the sub-prime mortgage crisis, but a significant root cause factor was the reliance on conventional credit scoring and underwriting practices. The introduction of modern automated underwriting systems along with advancements in analytics, such as use of credit scoring and risk-based pricing, gave the banks a false level of security and encouraged a rapid expansion in sub-prime lending. So now banks face a dilemma: whether to return to a historical human-based lending assessment process or look to stick with the current highly automated scoring-based approach. It has been recognized that development in automated underwriting technology has played a significant role in encouraging lenders to penetrate deeper into the sub-prime loan pool. To a large extent, sub-prime lenders believed any additional risk they were taking on was covered using advances in credit scoring and scoring system policy overlays. This enabled them to effectively price that risk and charge borrowers on the basis of their fully quantified creditworthiness. This has contributed to the rapid development of the sub-prime loan market1 and has created greater access to home ownership for some segments of borrowers, such as low-income and minority households.The magnitude of the current crisis makes it abundantly clear that there is significant room, and need, for improvement in current credit assessment approaches. There are two fundamental problems that contributed to the weakened underwriting standards and degraded loan quality. First, credit scoring has not done an adequate job of assessing risk in the subprime mortgage market. The majority of the sub-prime mortgages underwriting systems were not, in fact, capturing ‘the full range of risk factors in the market’.2 In particular, their conventional risk models were applied to non-conventional loan products, which are associated with different payment terms and behaviour. Improper use of credit scoring and automated underwriting presented incomplete risk analyses and weakened underwriting standards and policy. The end result has been a drop in loan quality.3 Lenders are now re-evaluating their lending procedures and tightening their lending standards in an effort to improve loan quality. This effort will inevitably involve underwriting technology improvement, which includes strengthening process integrity and upgrading scoring and automated underwriting system components. The system component upgrade will entail evaluation of the adequacy of data, current modelling practices and risk measurement frameworks. Second, there is a blind spot in today’s underwriting practices. That is, current practices over-rely on quantitative models and automated underwriting systems. Technology has a vital role in boosting efficiency and helping to measure and monitor credit risk. The models have their place and part to play. However, we need to control the models instead of the other way around. Loans first need to be properly classified and then risk-rated. Today’s process has that back to front. New and improved ways for addressing limitations of credit-scoring systems and evaluating credit risk will be in demand. Simply recalibrating existing models andthrowing more of the same technology at the problem will not fix it.

One of the challenges of modern credit risk management is the application of robust analytical techniques against an ever-changing background of economic conditions, technological advances, regulatory changes and customer demands. The current economic climate is especially demanding with the ‘credit crunch’; increasing costs of essential items and falling house prices are putting a number of households under significant financial pressure. Annual bad debt losses run into billions of pounds, and recent events have put the results of most institutions under an even more intense spotlight. Increases in funding costs and regulatory pressure in areas such as fees and insurance have put further pressure on profit margins. The combination of these two factors makes the credit risk manager’s job of lending to the right customers profitably even more crucial. Given the uncertainty, many institutions have been comfortable to restrict lending over the past year; however, the pressure will soon resume to grow lending and deliver the results shareholders expect. This article looks at the challenges currently faced by senior credit risk professionals and the role more effective data use can play in all aspects of the credit life cycle.

Bring together four people into one room. Make one an insurer, another a health and safety expert and the third a business consultant. The final person is a manufacturer. The subject of their discussion is risk management. Like motherhood and apple pie, risk management is deemed to be a good thing. But why? Each party will have its own view.

Is reputation risk a risk in itself or is it the consequence of other risk? According to an Economist Intelligence Unit (EIU) report in 2005 called Reputation: Risk of Risks, 52 per cent of survey respondents considered reputation risk as a risk in itself, while 40 per cent considered it a consequence of other risks. However, the report suggests there is a difference in views between corporate entities and financial services companies as to the relative importance. For the former, reputation risk is considered a risk in itself, whereas the latter consider it a second-tier risk. Furthermore, a 2008 EIU report called The Bigger Picture: Embracing Enterprise Risk Management highlighted that trust in financial services firms has been eroded owing to the credit crisis, resulting in reputational risk becoming more important now than ever before. In this latest EIU survey, 62 per cent of respondents say that protection against loss and damage to reputation is one of the most important benefits of an ERM strategy.During the course of this chapter we will look at reputation risk, in itself an umbrella of risk, since any breach in operational, credit or market risk can directly affect a company’s reputation. Clearly, some risks have a greater effect on reputation than others, and these will be identified. The calculation of value at risk (VaR) will be explored, alongside various approaches that could be taken in expressing the cost that could be incurred by a particular risk were it to transpire. Finally the chapter will cover strategies and mitigation actions that have been used by financial services companies when an adverse event has taken its toll on their reputations.

It is widely accepted that a reputation can take a lifetime to build and a moment to tarnish, sometimes irreparably. Reputation has been described as being the culmination of many good things lost in one bad deed. But a reputation remains an intangible asset, almost impossible to quantify. It can be a nebulous concept, even more difficult to value than other intangible assets such as the knowledge or experience of employees. Preserving and enhancing reputation are becoming increasingly difficult tasks for businesses. The very technology that once gave them a competitive edge can now be used against them. Customers and employees are more sophisticated, more discerning and more readily prepared to mobilize. Legal and regulatory developments have become a more burdensome reality to test even the most unshakable of reputations. What is clear however is that reputation is often the primary indicator of every other risk a business faces. Ultimately, it is the sum of all parts.

Increasingly, the word ‘uncertainty’ is being used in place of ‘risk’. Many of the definitions of ‘risk’ found in risk management guidelines and standards are of the type: ‘risks may represent threats as well as opportunities’. Alternatively, there are processes that deal with risks and opportunities, the two being treated as separate and distinct. This stylized representation of uncertainty limits the way risk managers record, analyse and assess risks, and constrains the relationship between the risk management process and that to which it is being applied. Risks (and opportunities) are defined in relation to what we will call the ‘base position’ (cost estimate, project schedule, operational process, etc). However, how do we tell if that base position was optimistic or pessimistic, realistic or fantastic?The answer is: we cannot, except by inference from the level of assessed risk exposure. From a strategic perspective, it is hard to understand what the results of a risk management process are telling us. Is a given project really extremely risky, or is it merely that the base cost estimate was extremely optimistic?This issue, which relates to the context in which any risk management process is implemented, is typically dealt with through phrases like ‘following good industry practice’, ‘benchmarking’, etc, to give credibility and confidence in the base position. However, since each project is unique, and given that the same set of risks can be and are looked at from different perspectives (eg a client organizationissuing a tender as against bidders competing for the work), how can we compare the risks identified by each party without understanding how optimistic or pessimistic each base position is from a strategic perspective? Can a senior decision maker be confident that the risk management process takes the optimism or pessimism of the base position into account, particularly if the personnel taking part in the risk management process are not aware of that information themselves? It is apparent, therefore, that many current risk management standards and processes are not sufficiently sophisticated to address the complexities, nuances and additional dimensions of uncertainty.

Over the last two decades, business risk management has evolved and established itself as a key management discipline. Many organizations use sophisticated systems to help them measure and control the multitude of different risks facing today’s businesses. However, with the increasing understanding of different disciplines of risk, risk management practices have developed in a fragmented way. Specialist teams and departments within the same organization manage different types of risk, such as operational, financial, compliance and project risk, without much coordination between them. The publication of COSO’s Enterprise Risk Management Framework in 2004 challenged the ‘silo’ view of business risk by introducing the concept of integrative organization-wide risk frameworks. These aim to harmonize the risk management approaches across different departments and enhance the organization’s ability to take an overview of its aggregate risks. Risk at operational level is generally well understood, and some type of bottomup risk management system of risk identification and reporting is used by the majority of businesses. However, systematic risk management is not always embraced with the same rigour at higher levels of the organization. Risk is perceived to be mainly the responsibility of executive units – the financial department or the health, safety and security, or risk functions. Most organizations may still be reluctant to recognize risk as an important strategic driver.Board directors lead the development of corporate strategy, but may not take an equally active role in the identification and management of the risks that may threaten the delivery of the strategy. Risk identification and management are not seen as an inherent part of strategic development and, as a result, risks associated with strategic plans tend to be ignored or underestimated. Consequently, management is unable to allocate appropriate levels of resources to ensure that strategic risks can be effectively mitigated. The role of leadership teams in ensuring that key business risks are understood and successfully managed by the organization is crucial. The discussion that follows sets out the different ways that today’s business leaders can contribute to effective business risk management in order to enhance the organization’s ability to protect itself against strategic threats, while at the same time enhancing its ability to generate value.

Today, banks are facing more regulatory requirements, more stringent rating agency oversight, and investor confidence issues. To meet these new challenges, many organizations are examining their policies, methodologies and infrastructure (PMI). These three building blocks form the core of any enterprise risk management environment (Crouhy, Galai and Mark, 2005).Policies define the tolerance that an organization has for risk. The policies should be consistent with business strategy and should be communicated both internally and externally. The methodologies are the underlying mathematical models that are tied back into performance management. These models must be properly designed, implemented and vetted. The infrastructure refers to having the appropriate people and operational processes (such as data, software, systems, etc) in place to control and report on the risks (Crouhy, Galai and Mark, 2005).In the past 10 years, there have been countless books, journal articles and other published works that describe a plethora of different ways an organization can calculate risk measures. These vary from a measure that looks only at one specific risk factor to more integrated measures, for example economic capital.Over the years, the market has endured the US savings and loan crisis, the October 1987 market correction, the 1997 Asian financial crisis, and more recently the 2007 sub-prime mortgage crisis in the United States, now affecting the global banking community. Every one of these market events stresses the importance of having good risk measures and good risk management policies, methodologies and infrastructure. Of these three challenges, the bank is responsible for establishing its own policies and methodologies. These policies and methodologies will be influenced by the internal management organization as well as external factors such as regulatory oversight and investor confidence.The third challenge, infrastructure, is where the bank may benefit from external, third-party experience in terms of personnel, business processes and information technology (IT). While many banks have internal IT departments, most will agree that technology is not part of a bank’s core competencies. In this case, it may be best for the organization to leverage the knowledge, experience and products from third parties that do have hardware and software development among their distinctive core competencies. This chapter will focus on the information technology infrastructure required to support good enterprise risk management policies and methodologies.

Global recalls of seemingly obscure but omnipresent raw materials and ingredients; international food safety scares over staple foods; concerns and confusion around when, and at what level, the presence of certain chemicals in food or packaging is a hazard; labelling confusion and verification disputes…These kinds of food and drink health and safety scares are becoming ever more commonplace all over the world and in all sectors, from flavours to baby food and confectionery. And, increasingly, they illustrate why conventional ways and means of anticipating and dealing with risk and full-blown food-borne threats are no longer adequate and demand a rethink.This chapter looks at a new momentum in cross-silo collaboration in risk management in this industry, as well as the supply chain drivers that are forcing boardroom teams to sit up and take notice of risk and reputation management as central planks of their business strategy and brand longevity.

There are many good reference texts on risk management; here are quotes from a few good examples:■ ‘Risks are present in every business activity we undertake’ (OGC, 2007b).■ ‘Executives ignoring the threats from their competitors run the risk of their organization lagging behind and losing market share, whilst the organizations who embrace risk, often gain advantage and capitalize on opportunities’ (IoD, 2006).■ The objective of risk management is ‘To add maximum sustainable value to all the activities in the organization. It marshals the understanding of the potential upside and downside of all those factors which can affect the organization. It increases the probability of success, and reduces the probability of failure and the uncertainty of achieving the organization’s overall objectives’ (IRM, AIRMIC and ALARM, 2002).So, is it better to take on risk or avoid it? The benefits of managing risk should be obvious, but while there is much written on how to manage business or strategic risk and programme or project risk there is little text available on how to manage risks within a business change environment. To put this into context, consider Outperform’s business change wheel in Figure 1.3.1. If you start at the top of the figure, and set the organization off in the right direction, you will be setting the strategy. At the next level, you will: identify the changes necessary to meet the business strategy; and track and monitor the benefits accrued by the successful delivery of programmes and projects that were developed to meet the key performance indicators set by the strategy. This chapter is focused on how to manage risks at this level, called ‘right projects’.

Enterprise risk management (ERM) provides a means to improve business practice and culture proactively. However, it also has its roots in selecting the correct mix of risk controls and, indeed, solutions for an organization’s unique risk appetite, tolerance and capital structure. Regulation has been a driver of ERM in the majority of industries, especially for highly regulated sectors such as banking, insurance, and energy and utilities, but its broader benefits in optimizing risk treatment choices are starting to be leveraged more effectively.

One of the most important challenges for management today is determining the risk appetite of the corporation. Current economic uncertainties, scandals such as Enron, Parmalat and WorldCom, and a generally complex business environment have created the need for a robust framework that enables management to evaluate and improve risk management and provide confidence to board members, investors, regulators, investors and rating agencies.Determining the risk appetite requires a clear articulation of the company’s approach to risk taking, including the nature of the risks, the amount of risk the company wants to carry and the desired balance of risk and reward. Running a business of any size involves choices, and the board’s aim will be to match the effect of decisions as closely as possible to the risk appetite and for the implications of those policies to follow through into day-to-day operations. Maximizing returns while remaining within the risk limits is, clearly, not a new concept. What has changed is the rigour and comprehensive approach that companies are increasingly expected to apply to the identification, measurement and management of the uncertainties involved across the board: to strategic, financial, operational and hazard-related risks.Regulators and rating agencies want assurance that the company applies a robust approach to all the risks to which the business is exposed in a global way, not one that buys fire insurance for its buildings but fails to anticipate a competitor’s attack on a valuable intangible asset or that becomes aware too late that an acquisition has a legacy of environmental pollution exposures from discontinued activities. The traditional risk management approach starts with categorizing risks, important because it permits the company to define and organize the risk management functions and activities. Classification makes risk manageable. At the same time, it tends to compartmentalize it.Within such confines, the risks may be well managed, but the business can remain vulnerable because the global view is missing. Interrelated exposures, cross-enterprise risks and gaps in responsibilities may not be evident from the perspective of a business unit or function, but, nonetheless, they must be managed or they will remain a threat to the company’s objectives and the legitimate expectations of shareholders and regulators. Furthermore, the traditional risk management approach focuses on loss prevention for tangible assets rather than on creating opportunities through tangible and intangible assets.This sets the scene for enterprise risk management (ERM). ERM differs from risk management in scale, comprehensiveness and volume. By definition, the scope of the investigation is the enterprise, but this does not mean that it addresses all risks equally or that there is no focus on critical areas. Its aim is to make management aware of the necessity for communication and coordination across the different risk silos, and of taking a global view. There are many definitions of ERM. My company has adopted the following:‘Understanding the key risks facing the entire organization, and aggregating this information, so that the right decisions can be made about where to allocate capital to facilitate business improvement.’Thus, the value of ERM goes beyond compliance and avoidance of surprises to better usiness performance and more efficient use of capital. Armed with robust information about the company’s exposures and their relative weight, the directors will be able to take strategic decisions that maximize opportunities within the defined risk appetite.Further, if the analysis highlights interrelationships between risks, it may be possible to change processes or locations, create controls to reduce the exposure or use insurance to bring it to an acceptable level. It should also enable the company to spot opportunities that would be only weakly correlated or that would diversify risk with its existing activities. In this way, a company can exploit business opportunities that would otherwise make its exposure to risk unacceptable